Working With the Default Keystore
IDM generates a number of encryption keys in a JCEKS keystore the first time the server starts up. These keys map to the secrets defined in "Mapping SecretIDs to Key Aliases". Note that the keystore, and the keys, are generated at startup and are not prepackaged. The keys are generated only if they do not already exist. You cannot specify custom aliases for these default keys.
To use a different keystore type, such as PKCS #12, either create the keystore and generate the keys before you start IDM, so that IDM finds them at startup and does not generate its own, or convert the existing JCEKS keystore to a PKCS #12 keystore. In either case, set the openidm.keystore.type property in the openidm/resolver/boot.properties file to match the new type, otherwise IDM will fail to open the store.
Use the keytool command to list the default encryption keys, as follows:
keytool \
-list \
-keystore /path/to/openidm/security/keystore.jceks \
-storepass changeit \
-storetype JCEKS

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 5 entries

openidm-sym-default, Nov 5, 2019, SecretKeyEntry,
openidm-jwtsessionhmac-key, Nov 5, 2019, SecretKeyEntry,
selfservice, Nov 5, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): E9:0B:BA:FB:58:73:02:FC...:7B
openidm-selfservice-key, Nov 5, 2019, SecretKeyEntry,
openidm-localhost, Nov 5, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 21:50:6C:90:C7:A7:F7:32...:1B
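The following script is an added example, not part of the IDM documentation or the product. It carries out the PKCS #12 conversion described above end to end: it copies every entry of the JCEKS store into a PKCS #12 store with keytool -importkeystore, verifies from the new store's keytool listing that all five default aliases shown in the listing above survived the move, and only then rewrites openidm.keystore.type in boot.properties. The IDM_HOME path, the store password (the docs' default, changeit) and the assumption that every key password equals the store password (keytool prompts per entry otherwise) are assumptions of this example; if your IDM version also records the keystore file name in boot.properties, update that property as well.

```shell
#!/bin/sh
# Added example (not IDM's own tooling): convert keystore.jceks to PKCS #12 before
# starting IDM, verify the default aliases, then switch openidm.keystore.type.
# Assumptions: IDM under $IDM_HOME, store password "changeit", key passwords equal
# to the store password.
set -eu

IDM_HOME="${IDM_HOME:-/path/to/openidm}"
STOREPASS="${STOREPASS:-changeit}"
SRC="$IDM_HOME/security/keystore.jceks"
DST="$IDM_HOME/security/keystore.p12"
BOOT="$IDM_HOME/resolver/boot.properties"

# The five default aliases from the keytool listing on this page.
EXPECTED_ALIASES="openidm-sym-default openidm-jwtsessionhmac-key selfservice openidm-selfservice-key openidm-localhost"

# Copy every entry of a JCEKS store into a PKCS #12 store.
convert_keystore() { # src_jceks dst_p12
    keytool -importkeystore \
        -srckeystore "$1" -srcstoretype JCEKS -srcstorepass "$STOREPASS" \
        -destkeystore "$2" -deststoretype PKCS12 -deststorepass "$STOREPASS"
}

# Print the aliases of a `keytool -list` listing read from stdin, one per line.
# Entry lines look like "alias, Nov 5, 2019, SecretKeyEntry,"; header and
# fingerprint lines do not contain "Entry" and are skipped.
aliases_from_listing() {
    grep 'Entry' | sed -E 's/^([^,]+),.*/\1/'
}

# Print the expected aliases absent from a listing read from stdin
# (empty output means the store holds every default key).
missing_aliases() {
    found=$(aliases_from_listing)
    missing=""
    for a in $EXPECTED_ALIASES; do
        printf '%s\n' "$found" | grep -qxF -- "$a" || missing="$missing $a"
    done
    printf '%s\n' "${missing# }"
}

# Set openidm.keystore.type=<type> in a boot.properties file: replace the
# existing line if present, otherwise append one. Other lines are untouched.
set_keystore_type() { # file type
    if grep -q '^openidm\.keystore\.type=' "$1"; then
        sed "s/^openidm\.keystore\.type=.*/openidm.keystore.type=$2/" "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        printf 'openidm.keystore.type=%s\n' "$2" >> "$1"
    fi
}

# Constructed sample listing (the entries shown on this page) for offline checks.
SAMPLE_LISTING='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 5 entries

openidm-sym-default, Nov 5, 2019, SecretKeyEntry,
openidm-jwtsessionhmac-key, Nov 5, 2019, SecretKeyEntry,
selfservice, Nov 5, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): E9:0B:BA:FB:58:73:02:FC...:7B
openidm-selfservice-key, Nov 5, 2019, SecretKeyEntry,
openidm-localhost, Nov 5, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 21:50:6C:90:C7:A7:F7:32...:1B'

main() {
    if [ ! -f "$SRC" ]; then
        echo "no JCEKS keystore at $SRC; nothing to convert" >&2
        return 0
    fi
    convert_keystore "$SRC" "$DST"
    chmod 600 "$DST"   # the new store holds the same secrets as the old one
    absent=$(keytool -list -keystore "$DST" -storetype PKCS12 -storepass "$STOREPASS" \
             | missing_aliases)
    if [ -n "$absent" ]; then
        echo "conversion incomplete, missing aliases: $absent" >&2
        return 1
    fi
    set_keystore_type "$BOOT" PKCS12
    echo "converted $SRC to $DST and set openidm.keystore.type=PKCS12 in $BOOT"
}

main "$@"
```

Run it with IDM stopped, before the first start against the new store. The alias check is deliberately placed before the boot.properties edit: if keytool fails or skips an entry (for example a key with a different password), the listing comes back short, the script exits non-zero and the configuration still points at the working JCEKS store.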
If you run IDM in a cluster, every node must use the same keys. The simplest way to achieve this is to generate one keystore containing the required keys and make it available to all nodes, for example on a filesystem shared between them. Put the shared keystore in place before each node starts for the first time: because IDM generates the default keys whenever they do not already exist, a node started without it will create its own, incompatible set.